Identity Server 3 Access Token Validation endpoint fails with Audience Validation Failed

Question

I have an IdentityServer3 instance set up and I am requesting a token using the authorize endpoint (/core/connect/authorize).

My application requesting the token is an iOS application.

I pass the following parameters;

client_id=<clientid>
response_type=id_token
scope=openid
redirect_uri=<redirecturi>
state=<state>
nonce=<nonce>

This then opens up a web view for me, I enter my credentials and it returns the redirect_uri with the #id_token appended to the url.

To validate the token I pass it to the access token validation endpoint (/core/connect/accesstokenvalidation) of my IdentityServer. I append ?token=<access token received from login>.

I then get the response

{ "Message": "invalid_token" }

When I check the log

System.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audience: '<clientid>'. Did not match: validationParamters.ValidAudience: '<identity_server_host>/resources' or validationParameters.ValidAudiences: 'null'

What am I doing wrong here? Surely the IdentityServer that created the token should validate it as valid?

Answer 1

You don't request an access token in your example. With

response_type=id_token

you only get the identity token which you can validate against the identity token endpoint. To get the access token with your request you must change your request to

response_type=id_token token